diff --git a/ChangeLog b/ChangeLog
index 8cccb53..dc44220 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2013-12-13 Niibe Yutaka
 
+ * polarssl/library/bignum.c (mpi_exp_mod): Initialize lower
+ half of T with zero.
+ (mpi_montmul: Don't need to clear lower half of
+ T, as we keep zero. Call mpi_sub_hlp with upper half of T.
+ (mpi_montred): Ditto.
+
  * polarssl/library/bignum.c (mpi_montmul, mpi_montred): Minimize
  number of limbs for T.
  (mpi_exp_mod): Only allocate N-n * 2 for T.
diff --git a/polarssl/library/bignum.c b/polarssl/library/bignum.c
index 6633d73..e4bbe9c 100644
--- a/polarssl/library/bignum.c
+++ b/polarssl/library/bignum.c
@@ -1358,7 +1358,6 @@ static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm, const mp
  d = T->p;
  n = N->n;
  m = ( B->n < n ) ? B->n : n;
- memset( d, 0, n * ciL );
 
  for( i = 0; i < n; i++ )
  {
@@ -1380,7 +1379,7 @@ static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm, const mp
  mpi_sub_hlp( n, N->p, A->p );
  else
  /* prevent timing attacks */
- mpi_sub_hlp( n, A->p, T->p );
+ mpi_sub_hlp( n, A->p, d);
 }
 
 /*
@@ -1393,7 +1392,6 @@ static void mpi_montred( mpi *A, const mpi *N, t_uint mm, const mpi *T )
 
  d = T->p;
  n = N->n;
- memset( d, 0, n * ciL );
 
  for( i = 0; i < n; i++ )
  {
@@ -1421,7 +1419,7 @@ static void mpi_montred( mpi *A, const mpi *N, t_uint mm, const mpi *T )
  mpi_sub_hlp( n, N->p, A->p );
  else
  /* prevent timing attacks */
- mpi_sub_hlp( n, A->p, T->p );
+ mpi_sub_hlp( n, A->p, d);
 }
 
 /*
@@ -1462,6 +1460,7 @@ int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
  MPI_CHK( mpi_grow( X, j ) );
  MPI_CHK( mpi_grow( &W[1], j ) );
  MPI_CHK( mpi_grow( &T, j * 2 ) );
+ memset( T.p, 0, j * ciL ); /* Clear the lower half of T. */
 
  /*
  * Compensate for negative A (and correct at the end)
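Review bot: Dropping `memset( d, 0, n * ciL )` makes mpi_montmul's correctness depend on a precondition it no longer enforces: the lower n limbs of T must already be zero on entry, and every path through the function (the accumulation loop that follows and the dummy subtraction at the end, both outside this hunk) must leave them zero for the next call. Nothing in the hunk records that contract, so a future caller that passes a reused T, or a change to the loop body, would silently feed garbage into the Montgomery accumulator. At the top of the function I would add `/* Precondition: T->p[0..n-1] are zero on entry (mpi_exp_mod clears them once); the loop and the dummy subtraction below must leave them zero, since there is no per-call memset. */`, and a debug-build assertion over those limbs would catch violations early. The loop that consumes d starts at the end of this hunk and its body lies outside it.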
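Review bot: The new `mpi_sub_hlp( n, A->p, d);` still sits under the `if( mpi_cmp_abs( A, N ) >= 0 )` branch above it, so the "prevent timing attacks" comment only balances the arithmetic in the two arms; which arm executes, and which buffer is written (A->p in place versus the scratch at d), remain dependent on the secret-derived comparison and are observable through branch prediction and cache timing. A constant-time form would compute the subtraction unconditionally into the scratch half and copy it back under a mask derived from the comparison; if that is out of scope here, the comment should at least be honest, e.g. `/* equalise the work in both arms; the branch itself is still data-dependent */`. Style nit: the file writes calls as `f( a, b )`, so this line should read `mpi_sub_hlp( n, A->p, d );`. The loop that advances d precedes this hunk, so the scratch region being scribbled is wherever it left d, presumably the upper half the ChangeLog describes.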
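Review bot: As in mpi_montmul, removing `memset( d, 0, n * ciL )` leaves mpi_montred with an unstated precondition that the lower n limbs of T are zero on entry and are kept zero on return; since mpi_montred is a separate entry point it needs the contract written where its author will see it, e.g. `/* T->p[0..n-1] must be zero on entry and are left zero on return; mpi_exp_mod clears them once. */` before `d = T->p;`. Without it, the only evidence of the invariant is the ChangeLog. The loop over i begins in the hunk but its body is outside it.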
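Review bot: The dummy `mpi_sub_hlp( n, A->p, d);` now writes n limbs starting at d rather than at T->p, which is only in bounds if T really has 2n limbs (the ChangeLog says mpi_exp_mod allocates `j * 2`) and the preceding loop advanced d by at most n positions; neither is checked or stated locally, and T's size is not visible in this function. A one-line comment pinning the assumption, `/* d points into the upper half of T here; T has 2n limbs, so this scratch write stays in bounds */`, would make the reasoning reviewable, and the same secret-dependent-branch caveat as in mpi_montmul applies. Spacing nit: `mpi_sub_hlp( n, A->p, d );` to match the file's `( … )` call style.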
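Review bot: The added `memset( T.p, 0, j * ciL )` is the single place that establishes the zero-lower-half invariant mpi_montmul and mpi_montred now rely on, but its comment says only what it does, not why; I would write `/* Lower half of T must be zero on entry to mpi_montmul/mpi_montred; they keep it zero, so clear it once here instead of per call. */`. The upper j limbs are left as mpi_grow delivered them, which is fine only if mpi_grow zero-fills fresh limbs (upstream polarssl does; confirm in this tree) and the Montgomery loops write each upper limb before reading it — otherwise this is the place to clear all `j * 2` limbs at negligible cost. `j * ciL` is the lower half only if `j` equals N->n at this point; that assignment is above the hunk. The rest of mpi_exp_mod lies outside the hunk.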